A LOGICAL PROCESS CALCULUS

RANCE CLEAVELAND AND GERALD LÜTTGEN

Abstract. This paper presents the Logical Process Calculus (LPC), a formalism that supports heterogeneous system specifications containing both operational and declarative subspecifications. Syntactically, LPC extends Milner's Calculus of Communicating Systems with operators from the alternation-free linear-time μ-calculus (LTμ). Semantically, LPC is equipped with a behavioral preorder that generalizes Hennessy's and DeNicola's must-testing preorder as well as LTμ's satisfaction relation, while being compositional for all LPC operators. From a technical point of view, the new calculus is distinguished by the inclusion of (i) both minimal and maximal fixed-point operators and (ii) an unimplementability predicate on process terms, which tags inconsistent specifications. The utility of LPC is demonstrated by means of an example highlighting the benefits of heterogeneous system specification.

Key words. heterogeneous specification, must-testing, process algebra, temporal logic, testing theory

Subject classification. Computer Science 

1. Introduction. Over the past two decades, a wealth of approaches to formally specifying and reasoning about reactive systems have been introduced. Most of these may be classified according to whether they are based on process algebra [3] or temporal logic [27]. The process-algebraic paradigm is founded on notions of refinement, where one typically formulates a system specification and its implementation in the same notation and then proves that the latter refines the former. The underlying semantics is usually given operationally, and refinement relations are formalized as preorders. In contrast, the temporal-logic paradigm is based on the use of temporal logics [27] to formulate specifications, with implementations being given in an operational notation. One then verifies a system by establishing that it is a model of its specification, in the formal logical sense. The strength of the former paradigm is its support for compositional reasoning, i.e., one may refine system components independently of others. The benefit of the latter paradigm originates in its support for abstract specifications, where irrelevant operational details may be ignored. Both approaches may be given automated support in the form of model checking when the considered systems are finite-state.

The objective of this paper is to develop a compositional theory for heterogeneous specifications that uniformly integrates both refinement-based and temporal-logic specification styles, thereby allowing both approaches to be taken advantage of when designing systems. Accordingly, we present a novel Logical Process Calculus (LPC) that combines the algebraic operators of Milner's Calculus of Communicating Systems (CCS) [25] with the logical operators of the Alternation-Free Linear-Time μ-Calculus (LTμ) [32]. More precisely, we show that logical disjunction in LTμ may be understood as internal choice, complementing the external choice operator in CCS, and logical conjunction in LTμ as synchronous parallel composition, complementing asynchronous parallel composition in CCS. Moreover, LTμ is equipped with two recursion operators, a least fixed-point operator and a greatest fixed-point operator, which allow for the finite but unbounded, and the infinite, unwinding of recursion, respectively. The behavior described by the greatest fixed-point operator in LTμ thus corresponds to recursion in CCS. In the light of this discussion, LPC extends CCS by operators for disjunction, conjunction, and minimal fixed-points, as well as the basic processes true and false, and thereby allows for the encoding of both LTμ formulas and CCS processes in LPC (cf. Sec. 2).

The semantics of LPC is based on the testing approach of DeNicola and Hennessy [11]. The hallmarks of this theory are the use of transitions to model both processes and tests and the differentiation of processes on the basis of their responses to tests. Accordingly, we equip LPC terms with a transition relation defining the single-step transitions that specifications may engage in. We also introduce a novel unimplementability predicate on terms whose role is to identify inconsistent specifications, such as false, that cannot be implemented. Both the transition relation and the unimplementability predicate are defined via structural operational rules, i.e., in a syntax-driven fashion. We then carry over the definitions of must-testing in [11] to our setting and show that the resulting behavioral preorder (i) conservatively extends the traditional must-preorder between CCS specifications; (ii) is compositional for all operators in LPC; and (iii) naturally encodes the standard satisfaction relation between CCS processes and LTμ formulas (cf. Sec. 3). Thus, our framework may be seen to unify refinement-based and logic-based approaches to system specification, while facilitating component-based reasoning. Technically, this expressiveness follows from the mathematically coherent inclusion of process and logical operators in LPC that is enabled by our treatment of unimplementability (cf. Sec. 4). Practically, the theory allows system modelers to freely intermix operational and declarative subspecifications using both system operators (e.g. parallel composition) and logical constructors (e.g. conjunction). This gives engineers powerful tools to model system components at different levels of abstraction and to impose declarative constraints on the execution behavior of components (cf. Sec. 5).

2. A Logical Process Calculus. This section formally introduces our logical process calculus, LPC. We first present its syntax and then define its semantics via operational rules and a novel unimplementability predicate. Finally, the calculus is equipped with a refinement preorder on processes, which is an adaptation of DeNicola and Hennessy's must-testing preorder [11].

2.1. Syntax of LPC. The syntax of LPC extends Milner's CCS [25] with disjunction, conjunction, and least fixed-point operators. It also includes a process constant for the universal process true, while false will be a derived process term in our calculus. Formally, let $A$ be a countable set of actions, or ports, not including the distinguished unobservable, internal action $\tau$. With every $a \in A$ we associate a complementary action $\bar a$. We define $\bar A := \{\bar a \mid a \in A\}$ and take $\mathcal A$ to denote the set $A \cup \bar A$. Complementation is lifted to $\mathcal A$ by defining $\bar{\bar a} := a$. As in CCS, an action $a$ communicates with its complement $\bar a$ to produce the internal action $\tau$. We let $a, b, \ldots$ range over $\mathcal A$ and $\alpha$ over $\mathcal A_\tau := \mathcal A \cup \{\tau\}$. The syntax of LPC is then defined as follows:

$$P ::= 0 \mid tt \mid x \mid w \mid \alpha.P \mid P + P \mid P \vee P \mid P \mid P \mid P \wedge P \mid P \setminus L \mid P[f] \mid \mu x.P \mid \mu_k x.P \mid \nu x.P$$

where $k \in \mathbb N$, $x$ is a variable taken from some nonempty set $\mathcal V$ of variables, $w$ is an infinite word over $\mathcal A$ whose inclusion will be discussed in the next section, set $L \subseteq \mathcal A$ is a restriction set, and $f : \mathcal A_\tau \to \mathcal A_\tau$ is a finite relabeling. A finite relabeling satisfies the properties $f(\tau) = \tau$, $f(\bar a) = \overline{f(a)}$, and $|\{a \mid f(a) \ne a\}| < \infty$. We define $\bar L := \{\bar a \mid a \in L\}$ and use the standard definitions for free and bound variables, open and closed terms, guardedness, and contexts. We require for fixed-point terms $\mu x.P$, $\mu_k x.P$, and $\nu x.P$ that $x$ is guarded in $P$. Intuitively, $\mu x.P$ stands for finite unbounded unwindings of $P$, while $\mu_k x.P$ encodes finite unwindings of $P$ bounded by $k$. A term is called alternation-free if every variable bound by a least (greatest) fixed-point $\mu x.P$ ($\nu x.P$) does not occur free in a subterm $\nu y.Q$ ($\mu y.Q$) of $P$. We refer to closed, guarded, and alternation-free¹ terms as processes, with the set of all processes written as $\mathcal P$. Finally, we denote syntactic equality by $=$.

While it is obvious that LPC subsumes all CCS processes, it is not immediately clear that it also encodes all Alternation-Free Linear-Time μ-Calculus (LTμ) formulas [5]². The syntax of LTμ formulas is given by the following BNF:

$$\Phi ::= 0 \mid tt \mid ff \mid x \mid \langle a \rangle \Phi \mid \Phi \vee \Phi \mid \Phi \wedge \Phi \mid \mu x.\Phi \mid \nu x.\Phi$$

In our setting, LTμ formulas will be interpreted over infinite action sequences and also finite ones leading to deadlock. This is why the 'deadlock formula' $0$ is included in LTμ. In LPC, $ff$ corresponds to the term $\mu x.\tau.x$ and the next operator $\langle a \rangle$, for $a \in \mathcal A$, to the prefix operator $a.$.

2.2. Semantics of LPC. The operational semantics of an LPC process $P$ is given as a labeled transition system $(\mathcal P, \mathcal A_\tau, \to, \#, P)$, where $\mathcal P$ is the set of states, $\mathcal A_\tau$ the alphabet, $\to \subseteq \mathcal P \times \mathcal A_\tau \times \mathcal P$ the transition relation, $\# \subseteq \mathcal P$ our unimplementability predicate that is discussed below, and $P$ the start state.

The transition relation is defined by the structural operational rules displayed in Table 2.1. For convenience, we write $P \xrightarrow{\alpha} P'$ instead of $(P, \alpha, P') \in \to$. Note that, for the CCS operators, the semantics is exactly as in [25]. As for the other constructs, $tt$ can nondeterministically engage in any action transition, or decide to deadlock (cf. Rules (True1) and (True2)). Process $\alpha.P$ may engage in action $\alpha$ and then behave like $P$ (cf. Rule (Act1)), and similarly the process described by the infinite word $aw$ may engage in its initial action $a$ and then behave like $w$ (cf. Rule (Act2)). The reason for including process $w$ is to enable the modeling of arbitrary system environments within our calculus, including those exhibiting irregular behavior. The summation operator $+$ denotes nondeterministic external choice such that $P + Q$ may behave like $P$ or $Q$, depending on which communication initially offered by $P$ and $Q$ is accepted by the environment (cf. Rules (Sum1) and (Sum2)). Analogously, $\vee$ encodes disjunction or nondeterministic internal choice, i.e., process $P \vee Q$ determines internally, without consulting its environment, whether to execute $P$ or $Q$ (cf. Rules (Dis1) and (Dis2)). Process $P \mid Q$ stands for the asynchronous parallel composition of processes $P$ and $Q$ according to an interleaving semantics with synchronized communication on complementary actions, resulting in the internal action $\tau$ (cf. Rules (Par1)-(Par3)). Similarly, $P \wedge Q$ encodes the conjunction or synchronous parallel composition of $P$ and $Q$, with synchronization on all visible actions and interleaving on $\tau$ (cf. Rules (Con1)-(Con3)). The restriction operator $\setminus L$ prohibits the execution of actions in $L \cup \bar L$ and, thus, permits the scoping of actions. Process $P[f]$ behaves exactly as $P$ where actions are renamed according to the relabeling $f$. The remaining rules define the semantics of our least and greatest fixed-point operators. The minimal fixed-point process $\mu x.P$ first guesses some number $k \in \mathbb N$ that determines how often $P$ might be unwound, as encoded by the process $\mu_k x.P$ (cf. Rules (Mu1) and (Mu2))³. Here, $P[Q/x]$ stands for the process $P$ with all of its free occurrences of variable $x$ substituted by $Q$. This account of $\mu$

¹ The restriction to alternation-free processes is made for continuity reasons that are elaborated on later.

² LTμ is more expressive than linear-time temporal logic, so the limitation to alternation-free formulas does not impose undue expressiveness restrictions.

³ The presence of unbounded internal choice in Rules (True1) and (Mu1) presents problems for more denotational process theories; in LPC it proves not to be problematic because of our exclusively operational orientation.
Table 2.1

Operational semantics

$$\text{(True1)}\ \frac{}{tt \xrightarrow{a} tt}\ \ a \in \mathcal A \qquad\qquad \text{(True2)}\ \frac{}{tt \xrightarrow{\tau} 0}$$

$$\text{(Act1)}\ \frac{}{\alpha.P \xrightarrow{\alpha} P} \qquad\qquad \text{(Act2)}\ \frac{}{aw \xrightarrow{a} w}$$

$$\text{(Sum1)}\ \frac{P \xrightarrow{\alpha} P'}{P + Q \xrightarrow{\alpha} P'} \qquad\qquad \text{(Sum2)}\ \frac{Q \xrightarrow{\alpha} Q'}{P + Q \xrightarrow{\alpha} Q'}$$

$$\text{(Dis1)}\ \frac{}{P \vee Q \xrightarrow{\tau} P} \qquad\qquad \text{(Dis2)}\ \frac{}{P \vee Q \xrightarrow{\tau} Q}$$

$$\text{(Par1)}\ \frac{P \xrightarrow{\alpha} P'}{P \mid Q \xrightarrow{\alpha} P' \mid Q} \qquad \text{(Par2)}\ \frac{Q \xrightarrow{\alpha} Q'}{P \mid Q \xrightarrow{\alpha} P \mid Q'} \qquad \text{(Par3)}\ \frac{P \xrightarrow{a} P' \quad Q \xrightarrow{\bar a} Q'}{P \mid Q \xrightarrow{\tau} P' \mid Q'}$$

$$\text{(Con1)}\ \frac{P \xrightarrow{\tau} P'}{P \wedge Q \xrightarrow{\tau} P' \wedge Q} \qquad \text{(Con2)}\ \frac{Q \xrightarrow{\tau} Q'}{P \wedge Q \xrightarrow{\tau} P \wedge Q'} \qquad \text{(Con3)}\ \frac{P \xrightarrow{a} P' \quad Q \xrightarrow{a} Q'}{P \wedge Q \xrightarrow{a} P' \wedge Q'}$$

$$\text{(Res)}\ \frac{P \xrightarrow{\alpha} P'}{P \setminus L \xrightarrow{\alpha} P' \setminus L}\ \ \alpha \notin L \cup \bar L \qquad\qquad \text{(Rel)}\ \frac{P \xrightarrow{\alpha} P'}{P[f] \xrightarrow{f(\alpha)} P'[f]}$$

$$\text{(Mu1)}\ \frac{}{\mu x.P \xrightarrow{\tau} \mu_k x.P}\ \ k \in \mathbb N \qquad \text{(Mu2)}\ \frac{P[\mu_{k-1} x.P/x] \xrightarrow{\alpha} P'}{\mu_k x.P \xrightarrow{\alpha} P'}\ \ k > 0 \qquad \text{(Nu)}\ \frac{P[\nu x.P/x] \xrightarrow{\alpha} P'}{\nu x.P \xrightarrow{\alpha} P'}$$

may be seen as embodying a form of continuity: $\mu$ is interpreted in terms of its finite unwindings. Because of continuity problems associated with alternating least and greatest fixed points, in this paper we only consider alternation-free process expressions. The maximal fixed-point process $\nu x.P$ may unwind its loop indefinitely, as is the case for recursion in CCS (cf. Rule (Nu)). Note that the purely divergent process $\Omega$, employed in some process algebras [16] for describing infinite internal computation, can be derived in LPC as $\nu x.\tau.x$.

Temporal logics, including LTμ, are capable of specifying inconsistencies or contradictions, i.e., behaviors equivalent to false. From an operational point of view, a process describing an inconsistency is not implementable, and thus runs of processes passing through unimplementable states should be ignored. Due to nondeterministic choice, a process that can engage in such runs is not necessarily unimplementable itself. It is only unimplementable if all of its runs must pass through an unimplementable state. This intuition is reflected in the definition of our unimplementability predicate, given in Table 2.2, where we write $P\#$ for
Table 2.2

Unimplementability predicate $\#$

1. $\mu_0 x.P\,\#$
2. $P \to$ and $P \wedge Q \not\to$ implies $P \wedge Q\,\#$
3. $Q \to$ and $P \wedge Q \not\to$ implies $P \wedge Q\,\#$
4. $P\,\#$ implies $\alpha.P\,\#$, $P[f]\,\#$, $P \setminus L\,\#$, $P \wedge Q\,\#$, $Q \wedge P\,\#$, $P \mid Q\,\#$, $Q \mid P\,\#$, $\nu x.P\,\#$, $\mu x.P\,\#$, and $\mu_k x.P\,\#$
5. $P\,\#$ and $Q\,\#$ implies $P + Q\,\#$ and $P \vee Q\,\#$
6. $P[\mu_{k-1} x.P/x]\,\#$ implies $\mu_k x.P\,\#$, for $k > 0$
7. $(\forall k.\ \mu_k x.P\,\#)$ implies $\mu x.P\,\#$

$P \in \#$ and where $P \to$ stands for $\exists P' \in \mathcal P\ \exists \alpha \in \mathcal A_\tau.\ P \xrightarrow{\alpha} P'$. In particular, a contradiction is present within a conjunction $P \wedge Q$ if the conjunction process cannot engage in any transition, although one of its argument processes can (cf. Rules (2) and (3)). As an example, consider process $a.0 \wedge b.0$, for $a \ne b$. Further, Rule (4) states that the unimplementability of $P$ propagates backwards through prefixing. Note that the operational semantics for LPC distinguishes between inconsistent processes that are unimplementable and deadlocked processes that are implementable. For example, both processes $(a.0 \mid b.0) \setminus \{a, b\}$ and $a.0 \wedge b.0$ cannot engage in any transitions. However, $(a.0 \wedge b.0)\,\#$ while $\neg(((a.0 \mid b.0) \setminus \{a, b\})\,\#)$, as desired. All other rules are straightforward, except for least fixed-point processes, such as the process $\mu_0 x.P$ that cannot unwind its body $P$ further and is thus considered to be unimplementable (cf. Rule (1)). Together with Rules (6) and (7), this implies that the process $\mu x.\tau.x$, which can engage in finite but unbounded numbers of $\tau$'s, is actually unimplementable. Indeed, we will identify this process with false and abbreviate it by $ff$. Finally, it is easy to prove via induction on the structure of process terms that $P \xrightarrow{\alpha} P'$ and $P\,\#$ implies $P'\,\#$, for any $P, P' \in \mathcal P$ and $\alpha \in \mathcal A_\tau$.

The semantics for LPC does not only extend the standard CCS semantics but is also compatible with the semantics of LTμ formulas; see Thm. 3.5. This theorem, however, is not straightforward, and its proof requires us to build a rich semantic theory for LPC. Before doing so we first introduce some notation. A potential path $\pi$ of process $P$ is a sequence of transitions $(P_i \xrightarrow{\alpha_i} P_{i+1})_{0 \le i < k}$, for some $k \in \mathbb N \cup \{\omega\}$, such that $P_0 = P$. If $\neg(P_i\,\#)$ for all $0 \le i \le k$, then $\pi$ is called an implementable path, or simply path. We use $|\pi|$ to refer to $k$, the length of $\pi$. If $|\pi| = \omega$, we say that $\pi$ is infinite; otherwise, $\pi$ is finite. Moreover, $\pi$ is called maximal if $|\pi| < \omega$ and $P_{|\pi|} \not\to$. The trace $trace(\pi)$ of $\pi$ is defined as the word $w := (\alpha_i)_{i \in I_\pi} \in \mathcal A^\infty := \mathcal A^* \cup \mathcal A^\omega$, where $I_\pi := \{0 \le i < |\pi| \mid \alpha_i \ne \tau\}$. In the case of $I_\pi = \emptyset$, we let $\varepsilon$ stand for $w = ()$. Moreover, if $\pi$ is finite, we also write $P \stackrel{w}{\Longrightarrow} P_{|\pi|}$ for $\pi$. We denote the sets of all finite, maximal, and infinite paths of $P$ by $\Pi_{fin}(P)$, $\Pi_{max}(P)$, and $\Pi_\omega(P)$, respectively. We may also introduce according languages for $P$:

$\mathcal L_{fin}(P) := \{trace(\pi) \mid \pi \in \Pi_{fin}(P)\} \subseteq \mathcal A^*$, the finite-trace language of $P$

$\mathcal L_{max}(P) := \{trace(\pi) \mid \pi \in \Pi_{max}(P)\} \subseteq \mathcal A^*$, the maximal-trace language of $P$

$\mathcal L_\omega(P) := \{trace(\pi) \mid \pi \in \Pi_\omega(P)\} \subseteq \mathcal A^\infty$, the infinite-trace language of $P$

The semantic theory to be developed for LPC relies on the notion of divergence, i.e., a system's ability to engage in an infinite internal computation. In this paper, we employ the traditional notion of divergence as used by DeNicola and Hennessy [11]; more sophisticated definitions may be found elsewhere in the literature [6, 26, 28]. A process $P$ is divergent, in signs $P \Uparrow$, if $\varepsilon \in \mathcal L_\omega(P)$. For example, the process $\Omega := \nu x.\tau.x$ is divergent. A process $P$ is called $w$-divergent for some $w \in \mathcal A^\infty$, in signs $P \Uparrow w$, if $\exists P' \in \mathcal P\ \exists v \le_{fin} w.\ P \stackrel{v}{\Longrightarrow} P'$ and $P' \Uparrow$. Here, $\le_{fin}$ stands for the prefix ordering on words. We further write $\mathcal L_{div}(P)$ for the divergent-trace language of $P$, i.e., $\mathcal L_{div}(P) := \{w \in \mathcal A^\infty \mid P \Uparrow w\}$. Finally, $P$ is called convergent or $w$-convergent, in symbols $P \Downarrow$ and $P \Downarrow w$, if $\neg(P \Uparrow)$ and $\neg(P \Uparrow w)$, respectively.

2.3. Refinement in LPC. We now turn our attention to a behavioral theory of LPC, which defines a behavioral preorder $\sqsubseteq$ on processes such that $P \sqsubseteq Q$, i.e., $Q$ refines $P$, if $Q$ is "more defined" than $P$. The preorder is an adaptation of DeNicola and Hennessy's must-preorder [11], which was developed within an elegant testing theory and distinguishes processes on the basis of the tests they are necessarily able to pass. In this context, tests are processes equipped with a special action $\checkmark$, which are employed to witness the interactions a process may have with its environment. In order to determine whether a process passes a test, one has to examine the maximal and infinite computations that result when the test runs in lock-step with the process under consideration.

Formally, a test is a process that might use the distinguished success action $\checkmark \notin \mathcal A_\tau$. The set of all tests is denoted by $\mathcal T$. A maximal (infinite) computation $\pi$ of process $P$ and test $T$ is a maximal (infinite) path $\pi$ of $(P \mid T) \setminus \mathcal A$, i.e., $\pi = ((P_i \mid T_i) \setminus \mathcal A \xrightarrow{\alpha_i} (P_{i+1} \mid T_{i+1}) \setminus \mathcal A)_{0 \le i < |\pi|}$. Recall that paths only go along implementable states. Computation $\pi$ is successful if $T_k \xrightarrow{\checkmark}$ for some $0 \le k \le |\pi|$; otherwise, it is unsuccessful. Finally, process $P$ is said to must-satisfy test $T$, in symbols $P \,\mathrm{must}\, T$, if every maximal and infinite computation of $P$ and $T$ is successful. Our variant of the must-preorder can now be defined as follows.

Definition 2.1 (Must-preorder). For $P, Q \in \mathcal P$ we let $P \sqsubseteq Q$ if, for all $T \in \mathcal T$, $P \,\mathrm{must}\, T$ implies $Q \,\mathrm{must}\, T$.

It is easy to see that $\sqsubseteq$ is a preorder, i.e., that it is reflexive and transitive. Note that this preorder can be extended to open terms by the usual means of closed substitution [25]. Moreover, $\sqsubseteq$ satisfies the following basic algebraic laws, where $\approx$ stands for the kernel $\sqsubseteq \cap (\sqsubseteq)^{-1}$ of $\sqsubseteq$.

Proposition 2.2. Let $P, Q, R \in \mathcal P$.  Then, the following holds:

$$P \mid Q \approx Q \mid P \qquad (P \mid Q) \mid R \approx P \mid (Q \mid R) \qquad P \mid 0 \approx P \qquad P \mid \Omega \approx \Omega$$

$$P \wedge Q \approx Q \wedge P \qquad (P \wedge Q) \wedge R \approx P \wedge (Q \wedge R) \qquad P \wedge tt \approx P \qquad P \wedge ff \approx ff$$

$$P + Q \approx Q + P \qquad (P + Q) + R \approx P + (Q + R) \qquad P + 0 \approx P \qquad P + \Omega \approx \Omega$$

$$P \vee Q \approx Q \vee P \qquad (P \vee Q) \vee R \approx P \vee (Q \vee R) \qquad P \vee tt \approx tt \qquad P \vee ff \approx P$$

Further, $P \wedge P \approx P$, $P \vee P \approx P$, and $P \vee Q \sqsubseteq P$.






It is also easy to see that the divergent process $\Omega$ does not must-satisfy any tests, except the trivial ones, such as $\checkmark.0$. Hence, it is the smallest process with respect to $\sqsubseteq$. Conversely, process $ff$ must-satisfies every test, since it does not possess any computation due to $ff\,\#$. Consequently, $ff$ is the largest process with respect to $\sqsubseteq$. Also $tt$ is a distinguished process in our setting; it is the smallest convergent process with respect to $\sqsubseteq$. Thus, we have $\Omega \sqsubseteq tt \sqsubseteq ff$⁴.

⁴ This ordering is the reverse of the more usual Boolean ordering, which holds that $ff$ is lower than $tt$. Our ordering is due to the fact that must refinement implies reverse language containment.
3. Properties of the Must-Preorder. In this section we investigate the utility of our calculus for the heterogeneous specification of reactive systems. We show that our must-preorder is a conservative extension of the one of DeNicola and Hennessy, provide its characterization in terms of traces and initial action sets, investigate its close relation to LTμ satisfaction, and finally establish its compositionality properties.

3.1. Extension of DeNicola and Hennessy's Must-Preorder. It is easy to see that our must-preorder $\sqsubseteq$ is a conservative extension of the original must-preorder $\sqsubseteq_{DH}$ of DeNicola and Hennessy, defined on CCS processes [11]. The reason is that their and our definitions of the testing framework coincide on CCS processes. Hence, we may formally obtain the following conservativity theorem.

Theorem 3.1. Let $P, Q$ be CCS processes. Then, $P \sqsubseteq Q$ if and only if $P \sqsubseteq_{DH} Q$.

3.2. Characterization. We now present a characterization of our must-preorder which will be used for obtaining some of our main results. The characterization closely follows the lines of a similar characterization of DeNicola and Hennessy's must-preorder [11]. It uses the notation $I(P)$ for the set $\{a \in \mathcal A \mid P \xrightarrow{a}\}$ of visible initial actions of $P$.

Theorem 3.2. Let $P, Q$ be processes. Then $P \sqsubseteq Q$ if and only if for all $w \in \mathcal A^\infty$ such that $P \Downarrow w$:

1. $Q \Downarrow w$

2. if $|w| < \omega$: $\forall Q'.\ Q \stackrel{w}{\Longrightarrow} Q'$ implies $\exists P'.\ P \stackrel{w}{\Longrightarrow} P'$ and $I(P') \subseteq I(Q')$;
   if $|w| = \omega$: $w \in \mathcal L_\omega(Q)$ implies $w \in \mathcal L_\omega(P)$

Observe that this characterization is also sensitive to infinite traces and not only finite ones (cf. Cond. (2)). This is superficially similar to the improved failures model of [7]; the difference is that infinite traces in [7] convey divergence information, while they convey convergence information in the above characterization.

The proof of the above theorem relies on the following four distinguished tests, where $k \in \mathbb N$, $w = (a_i)_{0 \le i < k} \in \mathcal A^*$, $v \in \mathcal A^\omega$, and $a \in \mathcal A$.

1. $T^{div}_w := \bar a_0.\bar a_1.\cdots.\bar a_{k-1}.0 \mid \tau.\checkmark.0$

2. $T^{fin}_w := \bar a_0.(\bar a_1.\cdots.(\bar a_{k-1}.0 + \tau.\checkmark.0)\cdots) + \tau.\checkmark.0) + \tau.\checkmark.0$

3. $T^{max}_{w,a} := \bar a_0.(\bar a_1.\cdots.(\bar a_{k-1}.\bar a.\checkmark.0 + \tau.\checkmark.0)\cdots) + \tau.\checkmark.0) + \tau.\checkmark.0$

4. $T^\omega_v := \bar v \mid \tau.\checkmark.0$

The intuitions behind defining these tests are as follows.

Lemma 3.3. Let $P$ be an arbitrary LPC process.

1. Let $w \in \mathcal A^*$. Then, $P \Downarrow w$ iff $P \,\mathrm{must}\, T^{div}_w$.

2. Let $w \in \mathcal A^*$ such that $P \Downarrow w$. Then, $w \notin \mathcal L_{fin}(P)$ iff $P \,\mathrm{must}\, T^{fin}_w$.

3. Let $w \in \mathcal A^*$ such that $P \Downarrow w$. Then, $w \notin \mathcal L_{max}(P)$ iff $\exists a \in \mathcal A.\ P \,\mathrm{must}\, T^{max}_{w,a}$.

4. Let $v \in \mathcal A^\omega$ such that $P \Downarrow v$. Then, $v \notin \mathcal L_\omega(P)$ iff $P \,\mathrm{must}\, T^\omega_v$.

The proof of this lemma is not too difficult but tedious; it follows our definition of must-passing tests and is similar to the corresponding proof in [9]. Note that the first property can also be carried over to infinite words, due to our 'approximative' definition of divergence.
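As an added illustration (this is not code from the paper), the following Python models the finite, fixed-point-free fragment of LPC over a constructed alphabet {a, b, c}, writing a' for the complement ā and tick for the success action √. It implements the transition rules of Table 2.1 (function steps), the unimplementability predicate of Table 2.2 (unimpl) and the must relation of Def. 2.1 (must), then reproduces the Sec. 2.2 example that a.0 ∧ b.0 is unimplementable while (a.0 | b.0)\{a,b} is merely deadlocked, and checks Lemma 3.3(2) with the test T^fin_w on the constructed process a.b.0 + a.c.0. The helper names steps, unimpl, must and t_fin are this example's own, not the paper's.

```python
# Added example (not the paper's own code): the finite, fixed-point-free fragment of
# LPC (0, tt, alpha.P, +, v, |, ^, \L) with the transition relation of Table 2.1,
# the unimplementability predicate # of Table 2.2 and must-testing (Def. 2.1), over a
# constructed three-letter alphabet in which a' stands for the complement of a.
TAU, TICK = "tau", "tick"                       # internal action, test success action
ALPHABET = frozenset({"a", "b", "c", "a'", "b'", "c'"})   # constructed finite A

def bar(a):
    """Complement of a visible action: a <-> a'."""
    return a[:-1] if a.endswith("'") else a + "'"

# Terms are nested tuples tagged by their operator, so they are hashable and comparable.
NIL, TT = ("nil",), ("tt",)                     # 0 and tt
def pre(a, P): return ("pre", a, P)             # alpha.P
def sum_(P, Q): return ("sum", P, Q)            # P + Q  (external choice)
def dis(P, Q): return ("dis", P, Q)             # P v Q  (internal choice)
def par(P, Q): return ("par", P, Q)             # P | Q  (asynchronous parallel)
def con(P, Q): return ("con", P, Q)             # P ^ Q  (synchronous parallel)
def res(P, L): return ("res", P, frozenset(L))  # P \ L

def steps(P):
    """All transitions (alpha, P') of P according to the rules of Table 2.1."""
    op = P[0]
    if op == "nil":
        return set()
    if op == "tt":                                        # True1 / True2
        return {(a, TT) for a in ALPHABET} | {(TAU, NIL)}
    if op == "pre":                                       # Act1
        return {(P[1], P[2])}
    if op == "sum":                                       # Sum1 / Sum2
        return steps(P[1]) | steps(P[2])
    if op == "dis":                                       # Dis1 / Dis2
        return {(TAU, P[1]), (TAU, P[2])}
    if op == "res":                                       # Res: block L and its complements
        blocked = P[2] | {bar(a) for a in P[2]}
        return {(a, res(P1, P[2])) for a, P1 in steps(P[1]) if a not in blocked}
    sp, sq = steps(P[1]), steps(P[2])
    if op == "par":                                       # Par1 / Par2 / Par3
        return ({(a, par(P1, P[2])) for a, P1 in sp} | {(a, par(P[1], Q1)) for a, Q1 in sq}
                | {(TAU, par(P1, Q1)) for a, P1 in sp for b, Q1 in sq if a != TAU and b == bar(a)})
    # Con1 / Con2 interleave tau steps; Con3 synchronizes on every visible action
    return ({(TAU, con(P1, P[2])) for a, P1 in sp if a == TAU}
            | {(TAU, con(P[1], Q1)) for a, Q1 in sq if a == TAU}
            | {(a, con(P1, Q1)) for a, P1 in sp for b, Q1 in sq if a == b != TAU})

def unimpl(P):
    """The predicate P# of Table 2.2, restricted to the fixed-point-free fragment."""
    op = P[0]
    if op in ("nil", "tt"):
        return False
    if op in ("pre", "res"):                    # rule 4: # propagates through prefix and restriction
        return unimpl(P[2] if op == "pre" else P[1])
    if op in ("sum", "dis"):                    # rule 5: both branches must be inconsistent
        return unimpl(P[1]) and unimpl(P[2])
    if op == "par":                             # rule 4: one inconsistent component suffices
        return unimpl(P[1]) or unimpl(P[2])
    # rule 4 for ^, plus rules 2 and 3: a component can move although the conjunction cannot
    stuck = not steps(P)
    return unimpl(P[1]) or unimpl(P[2]) or (stuck and bool(steps(P[1]) or steps(P[2])))

def must(P, T):
    """P must T (Def. 2.1): every maximal computation of (P|T)\\A that runs through
    implementable states only visits a state whose test component can perform tick.
    Without fixed points every computation is finite, so plain recursion suffices."""
    def run(state, seen):
        test = state[1][2]                                # state is res(par(P_k, T_k), A)
        seen = seen or any(a == TICK for a, _ in steps(test))
        succ = steps(state)
        if not succ:                                      # stuck, hence maximal
            return seen
        return all(run(S, seen) for _, S in succ if not unimpl(S))
    start = res(par(P, T), ALPHABET)
    return True if unimpl(start) else run(start, False)   # no computations at all when start#

def t_fin(w):
    """The test T^fin_w of Sec. 3.2: at every position it may internally decide to
    succeed (tau.tick.0) or offer the complement of the next action of w."""
    T = NIL
    for a in reversed(w):
        T = sum_(pre(bar(a), T), pre(TAU, pre(TICK, NIL)))
    return T

def examples():
    """Sec. 2.2's a.0 ^ b.0 and (a.0 | b.0)\\{a,b}, and Lemma 3.3(2) for the constructed
    process P := a.b.0 + a.c.0, whose finite traces are the prefixes of ab and ac."""
    a0, b0 = pre("a", NIL), pre("b", NIL)
    P = sum_(pre("a", pre("b", NIL)), pre("a", pre("c", NIL)))
    dead = res(par(a0, b0), {"a", "b"})
    return {
        "a.0 ^ b.0 #": unimpl(con(a0, b0)),                        # True
        "(a.0|b.0)\\{a,b} deadlocked": not steps(dead),             # True
        "(a.0|b.0)\\{a,b} #": unimpl(dead),                         # False
        "P must T_fin(ab)": must(P, t_fin("ab")),                   # False: ab is a finite trace of P
        "P must T_fin(bb)": must(P, t_fin("bb")),                   # True: bb is not
        # the inconsistent branch of an internal choice is ignored, mirroring the law P v ff ~ P
        "a.0 v (a.0 ^ b.0) vs a.0": [must(dis(a0, con(a0, b0)), t_fin(w)) == must(a0, t_fin(w))
                                     for w in ("a", "b")],          # [True, True]
    }
```

Because fixed points are left out, every computation of (P|T)\A is finite and the must check is a plain recursion over the reachable states; adding μ and ν would require the state-space exploration to detect infinite computations and the unbounded guess of k in Rule (Mu1). Pruning successors for which unimpl holds is exactly what makes a.0 ∨ (a.0 ∧ b.0) pass the same tests as a.0, the finite counterpart of the law P ∨ ff ≈ P from Prop. 2.2.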

3.3. Extension of LTμ Satisfaction. To prove that our must-preorder is also an extension of LTμ satisfaction we first recall the standard semantics of LTμ. An LTμ formula is interpreted as the set of those finite and infinite sequences over $\mathcal A$ that validate the formula. Formally, the semantics $[\![\Phi]\!]_{\mathcal E}$ of a possibly open LTμ term $\Phi$ is defined relative to an environment $\mathcal E$ mapping variables to subsets of $\mathcal A^\infty$. Note that our variant of the linear-time μ-calculus [5] can be used to reason about deadlock traces as well, due to our inclusion of the atomic proposition $0$; this is why we also consider finite traces, in addition to infinite ones.


$[\![tt]\!]_{\mathcal E} := \mathcal A^\infty$

$[\![ff]\!]_{\mathcal E} := \emptyset$

$[\![x]\!]_{\mathcal E} := \mathcal E(x)$

$[\![\langle a \rangle \Phi]\!]_{\mathcal E} := \{aw \mid w \in [\![\Phi]\!]_{\mathcal E}\}$

$[\![0]\!]_{\mathcal E} := \{\varepsilon\}$

$[\![\Phi_1 \wedge \Phi_2]\!]_{\mathcal E} := [\![\Phi_1]\!]_{\mathcal E} \cap [\![\Phi_2]\!]_{\mathcal E}$

$[\![\Phi_1 \vee \Phi_2]\!]_{\mathcal E} := [\![\Phi_1]\!]_{\mathcal E} \cup [\![\Phi_2]\!]_{\mathcal E}$

$[\![\mu x.\Phi]\!]_{\mathcal E} := \bigcap \{T \subseteq \mathcal A^\infty \mid [\![\Phi]\!]_{\mathcal E[x \mapsto T]} \subseteq T\}$

$[\![\nu x.\Phi]\!]_{\mathcal E} := \bigcup \{T \subseteq \mathcal A^\infty \mid T \subseteq [\![\Phi]\!]_{\mathcal E[x \mapsto T]}\}$

In case $\Phi$ is a formula, i.e., $\Phi$ is a closed LTμ term, it is easy to see that the environment $\mathcal E$ is irrelevant. We say that a CCS process $P$ satisfies $\Phi$, in signs $P \models \Phi$, if all traces of $P$ are included in the traces of $[\![\Phi]\!]$. Formally, $P \models \Phi$ if (i) $\mathcal L_{div}(P) \subseteq \mathcal L_{div}(\Phi)$, (ii) $\mathcal L_{max}(P) \subseteq [\![\Phi]\!]$, and (iii) $\mathcal L_\omega(P) \subseteq [\![\Phi]\!]$.

Further, LTμ formulas, when considered as a sublanguage of LPC, possess two important properties. First, all formulas $\Phi$ are convergent, i.e., $\mathcal L_{div}(\Phi) = \emptyset$. This is because the internal prefix operator $\tau.$ is not available in LTμ. In addition, the atomic propositions $tt$, $ff$, and $0$ do not give rise to divergence. As a consequence, Cond. (i) in the definition of $P \models \Phi$ above can be simplified to $\mathcal L_{div}(P) = \emptyset$. In particular, formula $tt$ is satisfied by convergent processes only, whence $P \models tt$ if and only if $\mathcal L_{div}(P) = \emptyset$. Second, every LTμ formula $\Phi$ is purely nondeterministic in the sense that all choices are internal:

$$\forall \Phi', \Phi''\ \forall \alpha, \beta.\ \ \Phi \xrightarrow{\alpha} \Phi' \text{ and } \Phi \xrightarrow{\beta} \Phi'' \text{ and } \Phi' \ne \Phi'' \text{ implies } \alpha = \beta = \tau.$$

This is due to the fact that disjunction is modeled as internal choice in LPC.

Proposition 3.4. Let $\Phi$ be an LTμ formula and $P$ a CCS process. Then, $\Phi \sqsubseteq P$ if and only if (i) $\mathcal L_{div}(P) = \emptyset$, (ii) $\mathcal L_{max}(P) \subseteq \mathcal L_{max}(\Phi)$, and (iii) $\mathcal L_\omega(P) \subseteq \mathcal L_\omega(\Phi)$.

The proof of this proposition relies on our characterization theorem for $\sqsubseteq$ (cf. Thm. 3.2) and uses the two properties of formulas mentioned above. The proposition is the key for establishing the next theorem.

Theorem 3.5. Let $P$ be a CCS process and $\Phi$ an LTμ formula. Then, $P \models \Phi$ if and only if $\Phi \sqsubseteq P$.

Due to Prop. 3.4 and the definition of $\models$, it is sufficient to prove that $[\![\Phi]\!] = \mathcal L_{max}(\Phi) \cup \mathcal L_\omega(\Phi)$. This can be done along the structure of LTμ formulas, but requires the appropriate extension of the definition of languages to open terms.

3.4. Compositionality. One virtue of process algebras is that they allow for reasoning compositionally about processes. Our logical process calculus LPC is no exception. Indeed, our must-preorder is compositional for all operators, except for the choice operators $+$ and $\vee$. This compositionality defect manifests itself in many behavioral preorders, including DeNicola and Hennessy's must-preorder. The largest precongruence $\sqsubseteq^c$ contained in $\sqsubseteq$ can be obtained in the standard fashion [11].

Definition 3.6 (Must-precongruence). For $P, Q \in \mathcal P$ we write $P \sqsubseteq^c Q$ if (i) $P \sqsubseteq Q$ and (ii) $Q \xrightarrow{\tau}$ implies $P \xrightarrow{\tau}$.

We can now establish the desired compositionality result.

Theorem 3.7. The preorder $\sqsubseteq^c$ is a precongruence, i.e., for all processes $P, Q$ such that $P \sqsubseteq^c Q$, the following properties hold:

• $\alpha.P \sqsubseteq^c \alpha.Q$ for all $\alpha \in \mathcal A_\tau$

• $P + R \sqsubseteq^c Q + R$ for all $R \in \mathcal P$

• $P \vee R \sqsubseteq^c Q \vee R$ for all $R \in \mathcal P$

• $P \mid R \sqsubseteq^c Q \mid R$ for all $R \in \mathcal P$

• $P \wedge R \sqsubseteq^c Q \wedge R$ for all $R \in \mathcal P$

• $P \setminus L \sqsubseteq^c Q \setminus L$ for all restriction sets $L$

• $P[f] \sqsubseteq^c Q[f]$ for all relabelings $f$

• $\mu_k x.P \sqsubseteq^c \mu_k x.Q$ for all $x \in \mathcal V$ and $k \in \mathbb N$

• $\mu x.P \sqsubseteq^c \mu x.Q$ for all $x \in \mathcal V$

• $\nu x.P \sqsubseteq^c \nu x.Q$ for all $x \in \mathcal V$

Moreover, $\sqsubseteq^c$ is the largest precongruence contained in $\sqsubseteq$.

The compositionality property can be checked straightforwardly for most operators by referring to Thm. 3.2. For asynchronous parallel composition, the compositionality of $\sqsubseteq^c$ follows immediately from the fact that $P \mid Q \,\mathrm{must}\, T$ if and only if $P \,\mathrm{must}\, Q \mid T$, for all $P, Q \in \mathcal P$ and $T \in \mathcal T$; this is essentially the associativity property of $\mid$. The proof of the 'largest' statement of Thm. 3.7 is standard [11].


4. Discussion and Related Work. This section compares LPC to related work and discusses in some detail the fundamental differences between the setting presented in this paper and our previous approach [9].

Most early related work couples operational and declarative approaches to system specification loosely and does not allow for mixed specifications. This includes the large amount of work on relating behavioral equivalences or preorders to temporal logics in one of the following ways: (i) establishing that one system refines another if and only if both satisfy the same temporal formulas [12, 17, 25, 31]; (ii) translating finite-state labeled transition systems into temporal formulas [30]; or (iii) encoding subclasses of temporal formulas as behavioral relations via the idea of implicit specifications [23]. Other work, in the field of compositional model checking [8, 14, 20], is aimed at supporting a modular approach for reasoning about temporal-logic specifications. Several researchers have also considered the inclusion of different fixed-point operators in behavioral theories of processes in order to model fairness and unbounded but finite delay [15, 18]. One may also find a process algebra with an element similar to our process $ff$ in [2].

Departing from these approaches, advanced frameworks for genuinely heterogeneous specifications have been developed as well, which can be distinguished according to whether they are logic/algebraic or automata-theoretic.


4.1. Logic/algebraic approaches. This category includes the seminal work of Abadi and Lamport, who have developed ideas for heterogeneous specifications for shared-memory systems [1]. Their technical setting is the logical framework of TLA [22], in which processes and temporal formulas are indistinguishable and logical implication serves as the refinement relation. The difference from our setting is that TLA refinement is insensitive to deadlock and divergence. While this might not be a problem for shared-memory systems, it is not suitable for reasoning about distributed systems, at which our calculus LPC aims. Graf and Sifakis follow a similar line in [13]. There, a logic is developed that includes constructs for actions and nondeterministic choice, and a logical encoding of operational behavior is given. One establishes that a system satisfies a property by showing that the logical formula associated with the system implies the property.

In a different line of research, Valmari et al. have studied several congruences preserving "next-time-less" linear-time temporal logic [27], which may also handle deadlock and livelock [19, 28, 33]. A good overview by Puhakka and Valmari on the matters of liveness and fairness in process algebra can be found in [29]. This paper also observes that, during system refinement, fairness constraints are often only relevant for intermediate systems and are automatically implied when considering the larger system context. It then suggests a way to avoid constructing the usually infinite intermediate systems. Our work complements theirs in that LPC allows for embedding arbitrary LTL formulas in operational specifications, instead of a specific class of fairness constraints. However, LPC does not avoid reasoning about infinite intermediate systems, since we believe that such reasoning poses no problem when employing clever data structures for implementing our must-preorder in verification tools. Finally, note that DeNicola and Hennessy's testing theory [11] has also been enriched with notions of fairness [6, 26] to constrain infinite computations in transition systems.

4.2. Automata-theoretic approaches. Regarding automata-theoretic techniques, the work of Kurshan [21], who presented a theory of ω-word automata that includes notions of synchronous and asynchronous composition, is of direct relevance to this paper. However, Kurshan's underlying semantic model maps processes to their infinite traces, and the associated notion of refinement is (reverse) trace inclusion. In theories of concurrency such as ours, in which deadlock is possible, maximal trace inclusion is not compositional [24].

The most closely related approach to the one presented here was introduced by the authors in [9]. Büchi automata were employed to uniformly encode mixed operational and declarative behavior, exploiting the well-known relation between Büchi automata and LTL [34]. We equipped this semantic framework with a notion of Büchi must-testing that extends DeNicola and Hennessy's must-testing preorder from labeled transition systems to Büchi automata. The intuition was only to consider those infinite traces as infinite computations that go through Büchi states infinitely often, and only to accept those infinite computations for which the considered Büchi test declares success infinitely often. The relation of our Büchi must-preorder to the LTL satisfaction relation, with the central result intended to be analogous to Thm. 3.5, was then established in a purely automata-theoretic fashion by suitably adapting the construction of [34]. However, our previous approach had several shortcomings which made it unsuitable as a semantic basis for a logical process calculus; these are discussed next.

Most importantly, our paper [9] contained a subtle technical mistake in the analogue of Lemma 3.3, which propagated through the paper’s results. In a nutshell, the setup of Büchi testing did not allow us, as was intended, to ignore non-Büchi divergent traces, i.e., those infinite internal computations that go through Büchi states only finitely often. While most of the results of [9] could be repaired by explicitly observing non-Büchi divergence, the framework no longer reflected the underlying intuition, and it made compositionality difficult to achieve for some operators, including parallel composition. Moreover, our identification of ff, or other inconsistent specifications, with non-Büchi divergence led to the invalidity of the desired law $P \lor \mathit{ff} = P$. The present paper repairs this defect by associating ff with a process that cannot engage in any observable transition, nor in any divergence. In order to then distinguish ff from, say, 0 we introduced the unimplementability predicate. Similar difficulties arose when interpreting tt as a Büchi-divergent process, which is why this paper distinguishes between tt and $\Omega$, making tt the smallest convergent process with respect to our must-preorder, while $\Omega$ is still the smallest process overall. 

Indeed, the collection of these insights also allowed us to do away with Büchi automata as our semantic framework for heterogeneous system design altogether. Accordingly, LPC encodes the least and greatest fixed-points occurring in temporal logics via labeled transition systems, where the process-algebraic semantic rules for least fixed-points reflect the intuition that the recursion under consideration can only be unwound finitely often, while a recursion associated with a greatest fixed-point may be unwound infinitely often. Hence, in LPC all infinite traces are ‘good’, which means that the expressive power of Büchi automata to distinguish ‘good’ and ‘bad’ infinite traces is no longer needed. The result is a process calculus, LPC, in which classical process algebras and linear-time temporal logics can be uniformly integrated, as was envisioned in [9]. The integration is mathematically elegant, as testified by our compositionality and conservative extension results that were established in a purely syntax-driven manner. 
5. Example: Heterogeneous System Design. This section illustrates, by means of an example, the kind of refinement-based system design supported by LPC. The example advocates a heterogeneous style of system specification, combining process-algebraic and temporal-logic specifications, and thereby testifies to the utility of our calculus. It will be convenient to express temporal constraints by means of formulas in Linear-time Temporal Logic (LTL) [27], a temporal logic that engineers often prefer over the linear-time μ-calculus [5]. We thus briefly show how LTL formulas can be encoded in LTμ or, more precisely, in our new calculus LPC. 

5.1. Encoding of LTL in LPC. Since we would like to describe action-based distributed systems and their deadlock behavior, the variant of LTL studied here includes the atomic propositions $a$, for $a \in A$, and $0$. Note that, in the context of temporal logics, $A$ is always taken to be a finite set. 

$$\Phi ::= 0 \mid a \mid \mathit{tt} \mid \mathit{ff} \mid \Phi \lor \Phi \mid \Phi \land \Phi \mid X\Phi \mid \overline{X}\Phi \mid \Phi\,U\,\Phi \mid \Phi\,V\,\Phi$$

The temporal operators $X$, $U$, and $V$ are intuitively interpreted as next, until, and release operators, respectively. Operator $\overline{X}$ is the dual operator of $X$; it is a next operator that tolerates deadlocks. Note that $X$ is not self-dual in the presence of finite traces. An LTL formula $\Phi$ corresponds to the LPC process $\{[\Phi]\}$, where the translation function $\{[\cdot]\}$ is defined inductively along the structure of $\Phi$ as follows and where $x$ is some arbitrarily chosen variable in $V$. 

$$\{[\mathit{tt}]\} := \mathit{tt} \qquad \{[0]\} := 0 \qquad \{[\Phi_1 \lor \Phi_2]\} := \{[\Phi_1]\} \lor \{[\Phi_2]\} \qquad \{[X\Phi]\} := \bigvee_{a \in A} a.\{[\Phi]\}$$

$$\{[\mathit{ff}]\} := \mathit{ff} \qquad \{[a]\} := a.\mathit{tt} \qquad \{[\Phi_1 \land \Phi_2]\} := \{[\Phi_1]\} \land \{[\Phi_2]\} \qquad \{[\overline{X}\Phi]\} := 0 \lor \bigvee_{a \in A} a.\{[\Phi]\}$$

$$\{[\Phi_1\,U\,\Phi_2]\} := \mu x.\,\{[\Phi_2]\} \lor \big(\{[\Phi_1]\} \land \bigvee_{a \in A} a.x\big)$$

$$\{[\Phi_1\,V\,\Phi_2]\} := \nu x.\,\{[\Phi_2]\} \land \big(\{[\Phi_1]\} \lor 0 \lor \bigvee_{a \in A} a.x\big)$$

For convenience, we abbreviate formula $\mathit{ff}\,V\,\Phi$ by $G\,\Phi$ (“generally $\Phi$”) and $\mathit{tt}\,U\,\Phi$ by $F\,\Phi$ (“eventually $\Phi$”), as usual. Moreover, we let $a \Rightarrow \Phi$ stand for the process $a.\Phi \lor 0 \lor \bigvee_{b \in A \setminus \{a\}} b.\mathit{tt}$ that is valid if and only if, for all traces of the form $aw$, trace $w$ satisfies $\Phi$. 

5.2. Example. Suppose an engineer is expected to design a reliable bidirectional network link in a component-based fashion. One might think of this link as a composition of two reliable unidirectional links that are closely tied together. In particular, the failure of one unidirectional link should imply the failure of the other, which is a typical physical constraint of bidirectional links. The engineer might begin with a simple specification of an unreliable unidirectional link, 

$$\mathit{ULSpec} := \nu x.\,\mathit{up}.(x + \mathit{fail}.\nu y.\,\mathit{down}.(y \lor x))\,,$$

which signals whether the link is up or down, or whether it just failed. In case of failure, the link tries to repair itself and, if and once it is successfully repaired, it returns to its initial state. However, a successful repair is not guaranteed, whence the process ULSpec may infinitely engage in the down-loop over variable $y$. 

To obtain a specification RLSpec of a reliable unidirectional link, ULSpec is simply refined by adding a constraint imposing a “repair guarantee,” $\mathit{RG} := G(\mathit{fail} \Rightarrow F\,\mathit{up})$, i.e., every broken link is eventually repaired and up. We then define $\mathit{RLSpec} := \mathit{ULSpec} \land \mathit{RG}$, which essentially does away with the down-loop in ULSpec. The desired bidirectional link might then be specified as follows: 


$$\mathit{BLSpec} := \big(\mathit{RLSpec}[\mathit{up1}/\mathit{up}, \mathit{down1}/\mathit{down}, \mathit{sync}/\mathit{fail}] \mid \mathit{RLSpec}[\mathit{up2}/\mathit{up}, \mathit{down2}/\mathit{down}, \mathit{sync}/\mathit{fail}]\big) \setminus \{\mathit{sync}\}\,,$$

where the synchronization on action fail, via the relabeling to action sync, ensures that the failure of 
one unidirectional link implies the failure of the other. Note that the constraints RG indirectly refer to 
action sync, which is restricted in BLSpec. 

The engineer may now refine the heterogeneous LPC specification BLSpec into a pure CCS implementation. The idea is to fulfill the constraints RG by eliminating the down-loop in ULSpec, thus encoding that a repair can always be successfully carried out immediately. The implementation of RLSpec might accordingly be chosen as the CCS process $\mathit{RLImp} := \nu x.\,\mathit{up}.(x + \mathit{fail}.\mathit{down}.x)$. We now establish that RLImp indeed refines RLSpec in the framework of our must-precongruence. First of all, it is easy to see by our characterization of $\sqsubseteq$ (cf. Thm. 3.2) that $\mathit{ULSpec} \sqsubseteq \mathit{RLImp}$, due to the internal nondeterministic choice in ULSpec. Further, we obviously have $\mathit{RLImp} \models \mathit{RG}$. Hence, we may infer by Thm. 3.5 that $\mathit{RG} \sqsubseteq \mathit{RLImp}$. Because RLImp cannot engage in an initial $\tau$-transition, we may in summary conclude $\mathit{ULSpec} \sqsubseteq^{c} \mathit{RLImp}$ and $\mathit{RG} \sqsubseteq^{c} \mathit{RLImp}$. By Prop. 2.2, which is also valid for $\sqsubseteq^{c}$, and by Thm. 3.7, we derive $\mathit{RLSpec} = \mathit{ULSpec} \land \mathit{RG} \sqsubseteq^{c} \mathit{RLImp} \land \mathit{RLImp} \sqsubseteq^{c} \mathit{RLImp}$, as desired. 
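The refinement argument above rests on ULSpec violating RG (its down-loop over $y$ can be taken forever) while RLImp satisfies it. The following Python is an added example, not code from the paper: it builds the finite labeled transition systems of both terms by hand (disjunction read as an internal choice resolved by a τ-transition, an assumption of this example) and checks the branching-time reading of RG, namely that every state entered by fail reaches an up-transition on every maximal path, returning a goal-free path as counterexample when it does not. This check is not the paper's must-preorder; on these finite systems it decides whether every trace continuing a fail satisfies $F\,\mathit{up}$, and a deadlock reached before an up counts as a violation because $\mathit{tt}\,U\,\mathit{up}$ excludes $0$.

```python
"""Checking RG = G(fail => F up) on the finite LTSs of ULSpec and RLImp
(added example, not the paper's own code).

An LTS is a dict: state -> list of (action, successor). The two LTSs are
hand-built from the process terms of Section 5.2; disjunction y v x is
modelled as an internal choice resolved by a tau-transition (assumption).
"""

TAU = "tau"

# Constructed LTS of ULSpec = nu x. up.(x + fail. nu y. down.(y v x)).
ULSPEC = {
    "X":   [("up", "X1")],
    "X1":  [("up", "X1"), ("fail", "Y")],   # x + fail.(...)
    "Y":   [("down", "YvX")],
    "YvX": [(TAU, "Y"), (TAU, "X")],        # y v x as internal choice
}

# Constructed LTS of RLImp = nu x. up.(x + fail.down.x).
RLIMP = {
    "X":  [("up", "X1")],
    "X1": [("up", "X1"), ("fail", "D")],
    "D":  [("down", "X")],
}

def goal_free_witness(lts, start, goal):
    """Return a list of actions forming a maximal path from `start` that
    never performs `goal` (it ends in a deadlock or closes a cycle), or
    None if every maximal path from `start` eventually performs `goal`."""
    path, on_path, done = [], [start], set()

    def dfs(s):
        succ = lts.get(s, [])
        if not succ:                 # deadlock reached before goal
            return True
        for act, t in succ:
            if act == goal:          # this branch performs goal: fine
                continue
            if t in on_path:         # back edge: goal-free cycle
                path.append(act)
                return True
            if t in done:            # already shown to always reach goal
                continue
            on_path.append(t)
            path.append(act)
            if dfs(t):
                return True
            on_path.pop()
            path.pop()
        done.add(s)
        return False

    return path if dfs(start) else None

def repair_guarantee(lts, trigger="fail", goal="up"):
    """Branching-time reading of G(trigger => F goal): every state entered
    by a `trigger` transition reaches `goal` on all paths. Returns
    (holds, counterexample) where the counterexample is the state entered
    after `trigger` together with a goal-free path from it, or None."""
    for succ in lts.values():
        for act, t in succ:
            if act == trigger:
                witness = goal_free_witness(lts, t, goal)
                if witness is not None:
                    return False, (t, witness)
    return True, None

if __name__ == "__main__":
    print("ULSpec:", repair_guarantee(ULSPEC))   # violated: down-loop after fail
    print("RLImp: ", repair_guarantee(RLIMP))    # holds: down is always followed by up
```

For ULSpec the counterexample is the path down, τ that closes the cycle on the state reached after fail, i.e. exactly the down-loop that RG removes; for RLImp no goal-free path exists, matching $\mathit{RLImp} \models \mathit{RG}$ in the argument above.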

When replacing in BLSpec the components RLSpec by RLImp we obtain an implementation of our reliable bidirectional link, to which we refer as BLImp. Since $\sqsubseteq^{c}$ is a precongruence and $\mathit{RLSpec} \sqsubseteq^{c} \mathit{RLImp}$, we obtain $\mathit{BLSpec} \sqsubseteq^{c} \mathit{BLImp}$, i.e., BLImp refines BLSpec, which coincides with our intuition. 

Finally, it is worth mentioning that LPC actually may be seen as a temporal logic that allows for some restricted form of branching-time reasoning. For example, the LPC process $\mathit{sync} \Rightarrow (\mathit{down1}.\mathit{tt} + \mathit{down2}.\mathit{tt})$ encodes the property that the system state reached when executing action sync has both actions down1 and down2 enabled. Observe that, in contrast to $\mathit{down1}.\mathit{tt} + \mathit{down2}.\mathit{tt}$, the term $\mathit{down1}.\mathit{tt} \land \mathit{down2}.\mathit{tt}$ in LPC specifies the obvious contradiction that every initial transition is labeled by both actions down1 and down2 at the same time. 

6. Conclusions and Future Work. We presented a novel logical process calculus LPC that integrates both classical process calculi, such as Milner’s CCS, and temporal logics, such as the alternation-free linear-time μ-calculus LTμ. The syntax of LPC enriches CCS by operators for synchronous parallel composition (conjunction) and nondeterministic choice (disjunction), as well as by minimal fixed-point operators (finite unwindings of recursion). The semantics of LPC was given in terms of labeled transition systems and an unimplementability predicate, both defined via structural operational rules. A refinement preorder on process terms was then introduced, which conservatively extends both DeNicola’s and Hennessy’s must-preorder and the LTμ satisfaction relation. Hence, LTμ model checking may as well be understood as refinement checking. Finally, our must-preorder was also shown to be compositional with respect to all operators in LPC. 

The outcome of our studies is a heterogeneous specification language, which allows system designers to 
specify systems in a mixed operational and declarative style, together with a behavioral preorder that permits 
component-based refinement. We believe that our setting provides groundwork for formally investigating 
those software engineering languages that support heterogeneous specifications as a mixture of operational 
state machines and declarative constraints, such as the Unified Modeling Language [4]. 
Regarding future work, we intend to study axiomatizations of our must-preorder. We also plan to 
develop an algorithm for computing the must-preorder with the goal of implementing LPC in automated 
verification tools, such as the Concurrency Workbench NC [10]. 